Is creating a nonce token for custom meta_box redundant?

  • Hello.
    Just as explained at Codex page for a function “add_meta_box”, I added custom meta_box for a certain custom post type , like the following(using php5.3);

    add_action("add_meta_boxes_somepost_type", function(){
  add_meta_box("HooHoo","hoo", function($post){
    //render hidden input field for nonce
    wp_nonce_field("HooHoo","hoo");//<-----(*)

    //render some <input> or <select>elements...

    //(abbr.)

  );
};
add_action("save_post", function($post_id, $post){
  //verify nonce
  if(!wp_verify_nonce($POST["hoo"],"HooHoo")return;

  //and, verify anything else...

  add_post_meta($post_id, "hoo", sanitize_text_field($_POST["hoodata"]),true);
},10,2);

    Also the example code shown at Codex Page, a callback for “add_meta_box” creates a special nonce token (at the above code(*)) and an action hooked into “save_post” verifies the token. But a default nonce token “_wpnonce” is also created and is verified before executing save_post action by a function “check_admin_referer” and consequently verification for CSRF is nealy completed before verifying the special nonce created at meta_box. I think it redundant to create and check a nonce token peculiar for a certain plugin.
    Anyone knows reasons for creating such a nonce at meta_box?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    I’m not sure of this, but I believe this is because the ‘save_post’ action can fire for a number of reasons, some of which there may not be a meta box value to save in $_POST, resulting in an error when the code tries to access it. The nonce confirms the form existed for the particular action that fired.

    It would probably suffice to use array_key_exists() for this purpose because, as you pointed out, the security issues relating to nonce use are handled by the main form handler. In this case, I think the nonce is merely a flag for “safe to save value” as opposed to it’s normal use as “POST request is legitimate”.

    This is just my opinion. I speak with no special authority or knowledge of the Codex author’s intent.

    Thread Starter passepied

    (@passepied)

    Thank you for your opinion!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Is creating a nonce token for custom meta_box redundant?’ is closed to new replies.